=
DE IT
DE IT
Book now
Contacts
Book now
Contacts
EN DE IT
Contacts
Book now
Book now
+39 0565 74530 info@chgroup.eu
Request information

Book now

Do you already have a reservation? Modify or cancel it here.
Home | Privacy Policy

Privacy Policy

Privacy Policy

Privacy Policy – Cosmopolitan Hotels S.p.A.

Pursuant to Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 and Legislative Decree no. 196/2003, as subsequently amended and supplemented.

 

While browsing this website, information and personal data may be collected, as described in this privacy notice. This notice applies exclusively to this website.

 

Data Controller

The Data Controller in relation to Grand Hotel Continental is Cosmopolitan Hotels S.p.A., with registered office at Largo Belvedere no. 26 – 56128 Tirrenia, Pisa, represented by its legal representative.

The Controller has not appointed a Data Protection Officer (DPO), as it is not subject to the obligation to designate one under Article 37 of the Regulation.

 

Types of data processed and purposes of the processing

 

Browsing data

 

The computer systems and software procedures used to operate this website acquire, during their normal operation, certain personal data whose transmission is implicit in the use of Internet communication protocols.

This category of data includes:

  • IP addresses or domain names of the computers and terminals used by users;
  • URI/URL (Uniform Resource Identifier/Locator) addresses of the requested resources;
  • the time of the request;
  • the method used to submit the request to the server;
  • the size of the file obtained in response;
  • the numerical code indicating the status of the response given by the server (successful outcome, error, etc.);
  • other parameters relating to the user’s operating system and IT environment.

Such data, which are necessary for the use of web services, are also processed for the purpose of:

  • obtaining statistical information on the use of the services (most visited pages, number of visitors per hour or per day, geographical areas of origin, etc.);
  • checking that the services offered are functioning correctly.

Browsing data do not persist for more than seven days (save where judicial authorities need such data to establish whether offences have been committed).

 

Data provided by the user

 

The optional, explicit and voluntary sending of messages to the Controller’s contact addresses, private messages sent by users to the Controller’s profiles/pages on social media (where this option is available), as well as the completion and submission of the forms on the Controller’s website, entail the acquisition of the sender’s contact details, which are necessary to reply, as well as all personal data included in the communications.

The provision of certain personal data of the data subject is compulsory in order to use the requested services and failure to provide such data may make it impossible to access them. Mandatory personal data are marked with an asterisk.

Where some data are indicated as non-mandatory, the data subject is free to refrain from communicating such data, without this affecting the availability of the service or its operation in any way. Data subjects who are uncertain as to which data are mandatory are encouraged to contact the Controller.

In particular, data may be collected through:

Collection of applications via the “Work with us” page

Through the dedicated page, users can submit unsolicited applications by filling in the form available on the website. The data marked with an asterisk (first name, last name, e-mail address, telephone number) are compulsory in order to allow the Controller to contact the user again. The data provided are processed solely for the purpose of recontacting the user, on the basis of the authorisation contained in the attached CV.

 

“Book now” page

By visiting the “Book now” page, the user will be redirected to the booking engine to make a reservation. For further information, please refer to the privacy notice available on that website.

 

Cookies and other tracking systems

For further details, please refer to the cookie policy available on this website.

 

Legal basis of the processing

The legal basis for the processing is as follows:

  • processing is necessary for compliance with a legal obligation to which the Controller is subject, pursuant to Article 6(1)(c) of EU Regulation 2016/679;
  • processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, pursuant to Article 6(1)(f) of EU Regulation 2016/679;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, pursuant to Article 6(1)(b) of EU Regulation 679/2016;
  • processing is carried out on the basis of the data subject’s consent, pursuant to Article 6(1)(a) of EU Regulation 2016/679.

It is always possible to ask the Controller to clarify the specific legal basis of each processing operation and, in particular, to specify whether the processing is based on a law or provided for under a contractual or pre-contractual relationship.

 

Methods of processing

Data are processed by the company’s authorised staff and are not disclosed to unauthorised third parties.

Processing is carried out by means of IT and/or telematic tools and in an automated and/or manual form, in compliance with the security measures referred to in Article 32 of GDPR 2016/679, by specifically authorised persons and in accordance with Article 29 of GDPR 2016/679.

The Controller adopts appropriate security measures to prevent unauthorised access, disclosure, alteration or destruction of personal data.

In addition to the Controller, in some cases, other parties involved in the provision of the services offered and in the operation of this website may have access to the data (such as hosting providers, IT companies, archiving, collection, printing, mailing and e-mail management companies, communication agencies, postal couriers), as well as external parties who, where necessary, are appointed as Processors by the Controller. The updated list of Processors may be requested from the Controller at any time.

 

Transfer of personal data

Data are processed at the Controller’s operating offices and in any other place where the parties involved in the processing are located. For further information, please contact the Controller.

The data subject’s personal data are not transferred outside the European Union.

 

Retention period

In compliance with the principles of lawfulness, purpose limitation and data minimisation, as set out in Article 5 of GDPR 2016/679, the data subject’s personal data will be stored for the period of time necessary to achieve the purposes for which they are collected and processed or to defend/exercise a right.

Where processing is based on the data subject’s consent, the Controller may retain the personal data for a longer period until such consent is withdrawn. Furthermore, the Controller may be required to retain the personal data for a longer period in order to comply with a legal obligation or by order of an authority.

At the end of the retention period, the personal data will be deleted. Therefore, upon expiry of that period, the rights of access, erasure, rectification and the right to data portability can no longer be exercised.

 

Rights of the data subject

The data subject may, at any time, exercise the following rights under Articles 15 to 22 of EU Regulation no. 2016/679:

  • a) request confirmation as to whether or not personal data concerning him or her exist;
  • b) obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipient to whom the personal data have been or will be disclosed and, where possible, the envisaged retention period;
  • c) obtain the rectification and erasure of data;
  • d) obtain restriction of processing;
  • e) obtain data portability, i.e. receive them from a controller in a structured, commonly used and machine-readable format and transmit them to another controller without hindrance;
  • f) object to processing at any time; data subjects are informed that, where their data are processed for direct marketing purposes, they may object to such processing without having to provide any reason;
  • g) request from the controller access to personal data and the rectification or erasure of such data or restriction of processing concerning him or her or to object to their processing, as well as the right to data portability;
  • h) withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;
  • i) lodge a complaint with a supervisory authority. The data subject has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), with offices in Rome, via di Monte Citorio 121 (tel. +39 06696771), following the procedures and instructions published on the Authority’s website www.garanteprivacy.it.

 

Controller’s contact details

To contact the Controller, you can use the following contact details:

 

Last updated: 10/08/2022